
I have successfully tested the Spring SAML example to validate against SSO Circle. I wanted to change the IDP to Ping and followed the steps mentioned in this post: Configuring Spring SAML for SSO with PingFederate

On successful login, I am brought back to the discovery page at server/saml-sample/saml/discovery/alias/defaultAlias?entityID=entity id

I am expecting to see the information sent back from Ping like General information, Principal's Attributes, Subject confirmation etc. What am I missing?

Appreciate any help in this regard as there is very little information available.

Update: Sharing the log file

The log is too long to be pasted here. I have uploaded it on dropbox

https://www.dropbox.com/s/fe0y252ypnqa2m7/log.txt

Thanks

mzee
  • Can you please enable logging as is described in the Spring SAML manual and post the result? – Vladimír Schäfer Jul 03 '14 at 20:52
  • I have posted the log on dropbox. – mzee Jul 15 '14 at 15:49
  • From the logs it seems that Spring SAML sends an AuthnRequest, but never receives a reply back from Ping. Are you successfully redirected to Ping and can authenticate there? Can you intercept the HTTP messages sent through your browser (for example using the tools included in Chrome) and post the result? – Vladimír Schäfer Jul 15 '14 at 20:42
  • Yes, I am directed to Ping, my credentials are authenticated and I get redirected back to the app. It doesn't ask for credentials for subsequent login attempts unless I clear the history (Single Signout has not yet been enabled). Here is the link to the HTTP messages (https://www.dropbox.com/s/o0i2dmu2jyaojsg/saml-response.txt) after successful login – mzee Jul 16 '14 at 14:07

1 Answer

Based on your HTTP dump it seems that the URL to which Ping sends the response is wrong. The log says that the SAML Response is sent to Request URL:http://server/saml-sample/, while the correct URL should be Request URL:http://server/saml-sample/saml/SSO.

This would explain why there isn't any mention of a received SAML Response in your logs and the user is sent directly back to the entry point.

You will need to update your Ping configuration to use the correct URLs of your service provider.

Vladimír Schäfer
  • I now get an exception, which I have shared with the Ping Admin: org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message Caused by: org.opensaml.common.SAMLException: Response doesn't have any valid assertion which would pass subject validation at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:229) ... 29 more Caused by: org.opensaml.common.SAMLException: Assertion invalidated by subject confirmation - can't be confirmed by the bearer method ... 30 more – mzee Jul 16 '14 at 18:14
  • This could be caused, for example, by a lack of time synchronization between your Spring SAML and Ping. The log should contain additional details about the reason for the failure; please post the updated one with debug level for Spring SAML enabled. – Vladimír Schäfer Jul 16 '14 at 18:27
  • I have updated the log (https://www.dropbox.com/s/fe0y252ypnqa2m7/log.txt), and it does look like I get a response back. – mzee Jul 16 '14 at 19:47
  • The error is "Bearer SubjectConfirmation invalidated by recipient assertion consumer URL, found http://server/saml-sample/saml/SSO". You will need to change that AssertionConsumerURL on Ping side once again and make sure to use exactly the same value as in your SP metadata (probably http://server/saml-sample/saml/SSO/alias/defaultAlias) - I should have mentioned this earlier. – Vladimír Schäfer Jul 16 '14 at 20:29
  • I got that changed but it still gives the same error. Bearer SubjectConfirmation invalidated by recipient assertion consumer URL, found http://server/saml-sample/saml/SSO/alias/defaultAlias. I compared that to the response from SSO Circle and the only difference is the addition of a port number, should that make a difference? SSO Circle value http://server:80/saml-sample/saml/SSO/alias/defaultAlias – mzee Jul 16 '14 at 20:47
  • I checked the verifyEndpoint method and it does a String comparison. Changed the url to include the port and it worked! Thanks!!!!!!!!! – mzee Jul 16 '14 at 22:15
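The bearer SubjectConfirmation check that failed in this thread, replayed in Python as an added example (not code from Spring SAML, OpenSAML or the thread): the Recipient is compared to the SP's assertion consumer URL as a plain string, so the port-less URL Ping sent is rejected while the `:80` value from the SP metadata passes. The Response XML, the clock value `NOW` and the 60-second skew allowance are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
# Constructed test clock, shortly before the assertion's NotOnOrAfter below.
NOW = datetime(2014, 7, 16, 20, 0, tzinfo=timezone.utc)

def build_response(recipient, not_on_or_after):
    """Constructed, unsigned, minimal Response carrying only the
    SubjectConfirmationData attributes the thread's error refers to."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_constructed" Version="2.0" Destination="{recipient}">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID>user@example.org</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData Recipient="{recipient}"
            NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

def check_bearer_confirmation(response_xml, sp_acs_url, now=NOW,
                              skew=timedelta(seconds=60)):
    """Return 'ok' or the reason the bearer SubjectConfirmation is rejected."""
    root = ET.fromstring(response_xml)
    for sc in root.iterfind(".//saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue  # only the bearer method is accepted for browser SSO
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None:
            return "bearer SubjectConfirmation has no SubjectConfirmationData"
        recipient = data.get("Recipient")
        # Exact string comparison, no URL normalisation: "http://server/x"
        # and "http://server:80/x" are different values here.
        if recipient != sp_acs_url:
            return f"recipient assertion consumer URL mismatch, found {recipient}"
        expiry = datetime.fromisoformat(data.get("NotOnOrAfter").replace("Z", "+00:00"))
        if now > expiry + skew:  # skew tolerates small IdP/SP clock drift
            return f"assertion expired at {data.get('NotOnOrAfter')}"
        return "ok"
    return "no bearer SubjectConfirmation in response"

if __name__ == "__main__":
    acs = "http://server:80/saml-sample/saml/SSO/alias/defaultAlias"  # SP metadata value
    for sent_to in ("http://server/saml-sample/saml/SSO",
                    "http://server/saml-sample/saml/SSO/alias/defaultAlias", acs):
        resp = build_response(sent_to, "2014-07-16T20:05:00Z")
        print(sent_to, "->", check_bearer_confirmation(resp, acs))
```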